[tz] Use or Apply for SPDX Licence

Paul Eggert eggert at cs.ucla.edu
Sun Jun 21 18:18:05 UTC 2020

On 6/21/20 8:26 AM, Brian Inglis wrote:

> SPDX is under the Linux Foundation, and Linux has now been plastered with SPDX
> labels in all source files, and other projects are adding them, to reduce the
> effort of replying to compliance/risk management and other queries from supply
> chain managers: keeping product acquisition staff busy working from home.

I just checked, and the string "SPDX" is in about 26% of Linux source files, so
apparently SPDX labeling is typically not needed universally even within its
home project. From the Linux point of view, perhaps tzdb source could also fall
under the category of "labeling not needed".

Also, I'm not seeing many questions from compliance/risk management people on
this mailing list - after all, the LICENSE file is pretty clear to anybody who
does this sort of thing for a living - so perhaps the need for SPDX labeling is
not so great for tzdb.

> As there are concerns about IERS leap-seconds.list on this list, European and
> other country product compliance/risk management/supply chain staff have
> concerns about tz content.

Fair enough, but SPDX tagging won't solve that problem, just as the lack of SPDX
tagging in the IERS leap-seconds.list isn't the fundamental problem that we have
with using that file.

One of my worries here is that SPDX tagging will give people even more arguments
to sue me and/or the IANA. The SPDX website keeps saying things like "Certifier
recognizes that his good faith efforts may not shield him from liability if in
fact the work certified is not in the public domain." This leads me to think
that I don't want to be an SPDX certifier, and would rather that somebody else
take the additional legal liability that would arise from SPDX tagging. I've
already been sued one time too many for my volunteer work.

More information about the tz mailing list